Kia ora koutou,
The Office of the Privacy Commissioner of New Zealand participated in a global effort to highlight illegal scraping of personal information from publicly accessible sources like such as social media platforms, referred to as "data scraping." The OPC issued a joint statement with the privacy authorities of Australia, Canada, the U.K., Hong Kong, Switzerland, Norway, Colombia, Morocco, Argentina, Mexico and Jersey. The statement delivers the following key takeaways:
- Publicly accessible personal information is still subject to data protection and privacy laws in most jurisdictions.
- Social media companies and operators of websites that host publicly accessible personal information have obligations, under data protection and privacy laws, to protect personal information on their platforms from unlawful data scraping.
- Mass data-scraping incidents that harvest personal information can constitute reportable data breaches in many jurisdictions.
- Individuals can also take steps to protect their personal information from data scraping, and social media companies play a role in enabling users to engage with their services in a privacy protective manner.
To put this statement into local context, I thought it might be helpful to work through the application of the Aotearoa information privacy principles relevant to the practice of data scraping. Note Aotearoa agencies sometimes show complacency in relation to the collection and use of publicly available personal information, demonstrating a general view that such information is not subject to the Privacy Act at all.
- IPP 1: Scope of collection. An agency must limit the personal information it collects to that which is necessary for a lawful purpose connected with its functions. There are no exceptions to this principle, which means it applies to the collection of personal information from publicly accessible sources. So, the indiscriminate scraping of personal information from online sources is likely to breach IPP 1.
- IPP 2: Source of information. An agency must collect personal information directly from the individual concerned, unless it can rely on an exception to collect the information from another source. One exception permits noncompliance with IPP 2 if the information is publicly available information. So, data scraping is generally likely to comply with IPP 2.
- IPP 3: Transparency. An agency that collects personal information directly from an individual must provide privacy notice to that individual. At present, this obligation applies only to direct collections, not collections from third parties, including publicly accessible sources. So, currently, data scraping would not engage IPP 3.
However, the Ministry of Justice is considering expanding IPP 3 to also apply to the collection of personal information from third parties, also referred to as "indirect collection." If this amendment is made, agencies conducting data scraping will need to comply with IPP 3, which may cause many agencies to rethink the value of such a practice. - IPP 4: Manner of collection. An agency must not collect personal information in ways that are unlawful, unfair or unreasonably intrusive ways. Given the indiscriminate nature of data scraping as a practice, and the currently high likelihood that individuals are unaware it is taking place, the argument that data scraping is unfair and unreasonably intrusive, and would breach IPP 4 could easily be made.
- IPP 8: Accuracy. An agency must take reasonable steps to ensure personal information is accurate, up to date and relevant before using or sharing it. There are no exceptions to this principle, which means it applies to the use or onward disclosure of personal information collected from publicly accessible sources. So, the careless use or sharing of personal information obtained through data scraping that significantly impact the person concerned could breach IPP 8.
- IPP 9: Retention. An agency must not retain personal information for longer than necessary. There are no exceptions to this principle, which means it applies to personal information collected from publicly accessible sources. So, an agency that conducts data scraping cannot simply hold on to that data indefinitely in hopes that it might come in handy later.
- IPP 10: Use. An agency must use personal information only for the purposes for which it was collected. One exception permits secondary uses of personal information if the information was collected from a publicly accessible source. However, this exception is limited to fair and reasonable uses in the circumstances. So, data scraping for purposes that could have a negative impact on the individuals concerned would be likely to breach IPP 10.
- IPP 11: Disclosure. An agency must not disclose personal information unless an exception applies to permit that disclosure. One exception permits the disclosure of personal information if that information was collected from a publicly accessible source. However, as with IPP 10, this exception is limited to disclosures that would not be unfair or unreasonable in the circumstances. So, the disclosure of personal information obtained via data scraping in ways that could negatively impact the individuals concerned would be likely to breach IPP 11.
On the basis of this brief analysis, it is apparent personal information being publicly available is by no means a "get out of jail free card" with respect to Privacy Act application and compliance. Agencies conducting data scraping activities with Aotearoa data will have quite a job complying with the IPPs, such that many may decide not to engage in this practice at all.